Saturday, February 26, 2005
Authorization Authority – Sample SOAP Trace
This last week was spent developing a proof of concept of the integration of an "Authorization Authority" into our service framework. I wanted to share the general messaging approach of the POC while I work on cleaning up the .NET solution enough to post it in its entirety.
There are four messages represented in the Authorization Authority use case scenarios. The first two are the request / response pair demonstrating communication between a service consumer and the Authorization Authority. The last two are the request / response pair demonstrating communication between a consumer and a service provider.

The first message is the test client (consumer) calling the authorization authority to request a particular user’s authorization credentials. The message is in the form of a SOAP envelope and is signed by the consumer as a means of allowing the authorization authority to authenticate the requesting application. The key data provided in this example is the end user’s user ID.
The second message is the authorization authority’s response to the authorization data request. The response comes in the form of a custom XML element named “sasauth:Token”. “sasauth” is the prefix representing a custom SunGard namespace (http://www.sungard.com/servicemanagement/authorization). Inside that “Token” element, we have encapsulated a SAML assertion document. The entire “Token” element has also been signed using the XML-Signature enveloped signature transform. This allows any application to trust that the “Token” element originated from the authorization authority and has not been tampered with at any point since the issuance of the token.
The third message demonstrates the inclusion of the “sasauth:Token” within the WS-Sec node of a SOAP request. The body of the message is also signed, and that signature is included within the WS-Sec node as well.
The fourth message shows a simple SOAP response document. However, the content of the result value is significant, in that it demonstrates the generic service evaluating the SAML assertions contained within the “sasauth:Token”.
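The issuance of the signed “sasauth:Token” (second message) and its verification by the service provider (fourth message), as an added example that is not part of the POC's .NET code. It uses only Python's standard library, so an HMAC over the canonicalized element stands in for the RSA XML-Signature, and the SAML 1.1 attribute content, the user IDs and the key are constructed; the enveloped-signature transform is modelled by removing the ds:Signature child before canonicalizing and digesting.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET
SASAUTH = "http://www.sungard.com/servicemanagement/authorization"  # namespace named in the post
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"                       # SAML 1.x assertion namespace
DS = "http://www.w3.org/2000/09/xmldsig#"                            # XML-Signature namespace
for prefix, uri in (("sasauth", SASAUTH), ("saml", SAML), ("ds", DS)):
    ET.register_namespace(prefix, uri)
def build_token(user_id):
    """Constructed sasauth:Token wrapping a minimal SAML 1.1 attribute assertion."""
    token = ET.Element(f"{{{SASAUTH}}}Token")
    assertion = ET.SubElement(token, f"{{{SAML}}}Assertion", {"MajorVersion": "1", "MinorVersion": "1"})
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    subject = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier").text = user_id
    attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"AttributeName": "role"})
    ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = "reader"
    return token
def canonical_bytes(elem):
    """Enveloped-signature transform: drop any ds:Signature child, then canonicalize (C14N)."""
    work = copy.deepcopy(elem)
    for sig in work.findall(f"{{{DS}}}Signature"):
        work.remove(sig)
    return ET.canonicalize(ET.tostring(work, encoding="unicode")).encode()
def sign_token(token, key):
    """Append a ds:Signature carrying the digest of the Token and an HMAC over that digest."""
    digest = hashlib.sha256(canonical_bytes(token)).digest()
    sig = ET.SubElement(token, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}DigestValue").text = base64.b64encode(digest).decode()
    mac = hmac.new(key, digest, "sha256").digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return token
def verify_token(token, key):
    """Recompute the digest over the Token minus its signature, then check digest and MAC."""
    sig = token.find(f"{{{DS}}}Signature")
    if sig is None:
        return False   # unsigned token: nothing to trust
    digest = hashlib.sha256(canonical_bytes(token)).digest()
    claimed = base64.b64decode(sig.findtext(f"{{{DS}}}DigestValue", default=""))
    if not hmac.compare_digest(claimed, digest):
        return False   # assertion content changed after issuance
    expected = hmac.new(key, digest, "sha256").digest()
    return hmac.compare_digest(base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", default="")), expected)
def demo():
    key = b"constructed-authority-key"   # stand-in for the authority's private signing key
    token = sign_token(build_token("jdoe"), key)
    genuine = verify_token(token, key)
    wrong_key = verify_token(token, b"some-other-key")
    token.find(f".//{{{SAML}}}AttributeValue").text = "admin"   # edit the role after issuance
    return genuine, wrong_key, verify_token(token, key)   # returns (True, False, False)
```

The same removal-then-digest step is what a service provider must perform before trusting the SAML attributes it reads out of the token, exactly as the fourth message relies on.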
posted by Chip Childers @ 2:53 PM